Friday, May 1, 2009

Consuming WCF services on SSL

Okay, so it's been ages since I posted something here, and just now I struggled with a problem I have struggled with so many times during the past 2-3 months. So I decided to document the solution here, as it might help someone else, or me, fix this sometime in the future :).
So I am working with a WCF service exposed over IIS with an SSL binding.
I set up a WCF client to consume this service, and everything was supposed to work out of the box. However, there are hiccups one faces, and the worst part is that you start getting security exceptions which give hardly any information about what the problem could be. All I was able to understand was that there was a problem establishing a secure connection over TLS/SSL.
So here are a few troubleshooting steps:
1) If it is a development/test environment and you are using an SSL certificate issued by an internal authority, ensure that you have the root certificate authority installed in your Trusted Root Certification Authorities store. (In a typical development environment, certificates are stored on a shared folder and everyone on the team uses different copies of the certificates from this shared folder. Sometimes the certificate authority certificate has several versions, and the one you trust is a different version.) So the safest option is to hit the service from IE, check the certificate, export the root certificate authority to a .CER file, and install it in your local machine store. By default the wizard will install it in your personal store, but it is a good idea to put it in the local machine store because you might be using some other account to consume this service.

2) Another problem one faces quite often in the development environment is that the SSL certificate is issued to a specific machine while multiple developers use the same certificate to work in parallel. In such a case the consumer of this service might face an exception, as the name of the machine to which the certificate has been issued is different from the name of the machine presenting it. To skip this check, we can configure the ServicePointManager component in .NET to skip the name verification process. To do this, add the following section to your config file for the WCF client....
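As an added example (not the author's code or config), here is a tighter version of the step 2 workaround for the WCF client in C#: instead of switching host-name checking off for every endpoint, a certificate validation callback tolerates the name mismatch only for one known development certificate, while an untrusted chain (the step 1 problem) still fails. The `DevSslPolicy` class name and the thumbprint constant are assumptions/placeholders.

```csharp
using System;
using System.Net;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;

// Hypothetical helper for a WCF client on .NET Framework. The blanket
// alternative is the config setting
// <system.net><settings><servicePointManager checkCertificateName="false"/></settings></system.net>,
// which relaxes the check for every HTTPS endpoint in the process.
static class DevSslPolicy
{
    // Placeholder: thumbprint of the shared dev certificate (read it from the
    // certificate's Details tab). Not a value from the post.
    const string DevCertThumbprint = "0000000000000000000000000000000000000000";

    // Call once at client start-up, ideally only in DEBUG builds: the callback
    // is process-wide, so it also affects every other HttpWebRequest.
    public static void Install()
    {
        ServicePointManager.ServerCertificateValidationCallback = Validate;
    }

    static bool Validate(object sender, X509Certificate cert, X509Chain chain,
                         SslPolicyErrors errors)
    {
        // Fully valid certificate: nothing to relax.
        if (errors == SslPolicyErrors.None)
            return true;

        // Only the host-name mismatch is tolerated. A missing root CA
        // (RemoteCertificateChainErrors) or no certificate at all still fails,
        // which keeps the step 1 problem visible instead of masking it.
        if (errors != SslPolicyErrors.RemoteCertificateNameMismatch)
            return false;

        // Tolerate the mismatch only for the one known dev certificate.
        var cert2 = cert as X509Certificate2 ?? new X509Certificate2(cert);
        return string.Equals(cert2.Thumbprint, DevCertThumbprint,
                             StringComparison.OrdinalIgnoreCase);
    }
}
```

With this in place a chain error still surfaces as the usual security exception, so the root CA has to be installed as described in step 1 rather than being silently ignored.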
I'll update this post as I face more issues with SSL...

~Abhishek

PS: I am working on a reusable performance counter application block which I might publish on this blog sometime.
